Article ID: 175062 - View products that this article applies to.
This article was previously published under Q175062
This article describes the methods available to identify from which system a user logged on. You may choose from one or more of the following methods:
Windows NT AuditingTo determine from which system a user logged on with Windows NT Auditing, perform the following steps:
Date: 10/13/97 Event ID: 528 Time: 10:32:11 AM Source: Security User: JoeSmith Type: Success Audit Computer: MKTINGDOM Category: Logon/Logoff Description: Logon/Logoff: Successful Logon User Name: JoeSmith Domain: MKTINGDOM Logon ID: (0x0, 0x2D0D0) Logon Type: 3 Logon Process: User32 Authentication Pkg: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: \\WKS2
Network MonitorTo determine from which system a user logged on with Network Monitor, perform the following steps:
Src Mac Addr: Dst Mac Addr: Description WKS1 SUNKING C session setup & X, Username = MariaH, and C tree connect & X, Share = \\SUNKING\IPC$ WKS2 SUNKING C session setup & X, Username = JoeSmith, and C tree connect & X, Share = \\SUNKING\IPC$ WKS3 SUNKING C session setup & X, Username = Administrator, and C tree connect & X, Share = \\SUNKING\IPC$
In the example above, WKS1 is the computer where the user is logging on from, SUNKING is the domain controller authenticating the request, and the Description contains the Windows NT domain account being used.
NOTE: The Src Mac Addr may also been shown as a media access control or IP address if the NetBIOS name could not be resolved or the entry is not in the Network Monitor address database.
Using the WINS DatabaseTo determine from which system a user logged on using the WINS database, perform the following steps:
Using the NetBIOS Remote Name TableTo determine from which system a user logged on using the NetBIOS Remote Name Table, perform the following steps:
TITLE : How to Activate Security Event Logging in Windows NT 4.0
TITLE : How to Identify User Who Changed Administrator Password
TITLE : Distinguishing Windows NT Audit Event Records
Article ID: 175062 - Last Review: October 31, 2006 - Revision: 1.1